HIPAA Compliance News

Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center

Posted by HIPAA Journal

Employees of a Canandaigua, NY nursing home have been using their smartphones to take and share images and videos of at least one resident and share the content with others via Snapchat – a violation of HIPAA and a serious violation of patient privacy.

The privacy breaches occurred at Thompson Health’s M.M. Ewing Continuing Care Center and involved multiple employees. Thompson Health has already taken action and has fired several workers over the violations. Now the New York Department of Health and the state attorney general’s office have got involved and are conducting investigations.

The state attorney general’s Deputy Press Secretary, Rachel Shippee confirmed to the Daily Messenger that an investigation has been launched, confirming “The Medicaid Fraud Control Unit’s mission includes the protection of nursing home residents from abuse, neglect and mistreatment, including acts that violate a resident’s rights to dignity and privacy.”

Thompson Health does not believe the images/videos were shared publicly and sharing was restricted to a group of employees at the care center. Thompson Health is contacting the families of the residents impacted by the breach to offer an apology.

This is not the first time that Thomson Health has discovered an employee had taken pictures and videos without people’s knowledge. In January, a camera was discovered in a unisex bathroom at Thompson Hospital. When the camera was taken down it was discovered that the memory card had been removed. The matter was reported to law enforcement although the employee responsible has not been identified.

M.M. Ewing Continuing Care Center is far from the only nursing home to discover that residents have been photographed and videoed without consent with videos and images shared on social media networks.

An investigation into the sharing of images of abuse of nursing home residents was launched by ProPublica in 2015. The investigation revealed the practice was commonplace, with several nursing home employees discovered to have performed similar acts. The investigation revealed there had been 22 cases of photo sharing on Snapchat and other social media platforms and 35 cases in total since 2012.

More recently, a nursing assistant at the Parkside Manor assisted-living facility in Kenosha, WI., was discovered to have taken photos of an Alzheimer’s patient and posted the images of SnapChat. When the violation was discovered, the nursing assistant was fired for the HIPAA breach.

The high number of cases involving these types of HIPAA violations prompted the CMS to take action in 2016. The CMS sent a memo to state health departments reminding them of their responsibilities to ensure nursing home residents were not subjected to any form of abuse, including mental abuse such as the taking of demeaning and degrading photos and videos and having the multimedia content shared on social media networks.

The post Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center appeared first on HIPAA Journal.

Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation

Posted by HIPAA Journal

In 2016, Radnor, PA-based Main Line Health Inc., terminated an employee for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by accessing the personal records of a co-worker without authorization on two separate occasions.

In such cases, when employee or patient records are accessed without authorization, employees face disciplinary action which can include termination. Gloria Terrell was one such employee who was terminated for violating company policies and HIPAA Rules. Main Line Health fired Terrell for “co-worker snooping.”

Terrell filed an internal appeal over her termination and maintained she accessed the records of a co-worker in order to obtain a contact telephone number. Terrell said she needed to contact the co-worker to make sure a shift would be covered, and this constituted a legitimate business reason for the access as she was unable to find the phone list with employees’ contact numbers.

After firing Terrell, Main Line Health appointed a significantly younger person to fill the vacant position. Terrell took legal action against Main Line Health in September 2016 claiming age discrimination. In the lawsuit, Terrell claimed Main Line Health had experienced similar snooping incidents in the past and failed to apply the same rules for younger employees. Terrell claimed she knew of three younger co-workers who were not terminated following the discovery of HIPAA violations. However, Terrell could not substantiate those assertions and all three employees denied they had been involved in any improper accessing of patient records.

Main Line Health explained appropriate training on HIPAA Rules and company policies had been provided to staff on multiple occasions and that there were established policies related to the protection of confidential employee and patient information. Those policies clearly state disciplinary action will be taken if company policies and HIPAA Rules are violated, which may include immediate discharge from employment.

Main Line Health maintained Terrell was terminated for a legitimate, non-discriminatory reason, and since the case failed to raise a triable issue, Main Line Health was entitled to a summary judgement.

Terrell’s case (Gloria Terrell v. Main Line Health, Inc., et al – Civil action No. 17-3102) went to federal court in the Eastern District of Pennsylvania. U.S District Court Judge Richard Barclay Surrick recently granted Main Line Health’s summary judgement, ruling Terrell failed to establish a viable age discrimination claim.

“In short, other than her own subjective beliefs, Plaintiff has offered no evidence from which a reasonable factfinder could conclude that Defendant’s proffered reason for terminating her lacks credibility. She has provided no evidence to support a finding of discrimination,” wrote Judge Barclay Surrick. “Although one may have reservations about the wisdom of terminating an employee with Plaintiff’s experience and tenure for electronically accessing a phone number that had already been made available to co-workers in paper form, it is not for this Court to sit as a super-personnel department that re-examines an entity’s business decisions.”

The post Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation appeared first on HIPAA Journal.

Healthcare Worker Charged with Criminally Violating HIPAA Rules

Posted by HIPAA Journal

A former University of Pittsburgh Medical Center patient information coordinator has been indicted by a federal grand jury over criminal violations of HIPAA Rules, according to an announcement by the Department of Justice on June 29, 2018.

Linda Sue Kalina, 61, of Butler, Pennsylvania, has been charged in a six-count indictment that includes wrongfully obtaining and disclosing the protected health information of 111 patients.

Kalina worked at the University of Pittsburgh Medical Center and the Allegheny Health Network between March 30, 2016 and August 14, 2017. While employed at the healthcare organizations, Kalina is alleged to have accessed the protected health information (PHI) of those patients without authorization or any legitimate work reason for doing so.

Additionally, Kalina is alleged to have stolen PHI and, on four separate occasions between December 30, 2016, and August 11, 2017, disclosed that information to three individuals with intent to cause malicious harm.

Kalina was arrested following an investigation by the Federal Bureau of Investigation. The case was taken up by the Department of Justice and she is being prosecuted by Assistant United States Attorney, Carolyn Bloch, on behalf of the federal government.

If found guilty on all counts, Kalina faces up to 11 years in jail and could be ordered to pay a fine of up to $350,000. The sentence will be dictated by the seriousness of the offenses and any prior criminal history.

The Department of Justice is taking a hard line on individuals who violate HIPAA Rules and impermissibly access and disclose PHI with malicious intent. There have been several other cases in 2018 that have seen former healthcare workers indicted for criminal HIPAA violations, with three cases resulting in imprisonment.

In June 2018, a former employee of the Veteran Affairs Medical Center in Long Beach, CA, Albert Torres, 51, was sentenced to serve 3 years in jail for the theft of protected health information and identity theft. Torres pleaded guilty to the charges after law enforcement officers discovered the records of 1,030 patients in his home.

In April, 2018, former receptionist at a New York dental practice, Annie Vuong, 31, was sentenced to serve 2 to 6 years in jail for stealing the PHI of 650 patients and providing that information to two individuals who used the data to rack up huge debt’s in patients’ names.

In February, a former behavioral analyst at the Transformations Autism Treatment Center in Bartlett, TN, Jeffrey Luke, 29, was sentenced to 30 days in jail, 3 years supervised release, and was ordered to pay $14,941.36 in restitution after downloading the PHI of 300 current and former patients onto his personal computer.

The post Healthcare Worker Charged with Criminally Violating HIPAA Rules appeared first on HIPAA Journal.

OCR Draws Attention to HIPAA Patch Management Requirements

Posted by HIPAA Journal

Healthcare organizations have been reminded of HIPAA patch management requirements to ensure the confidentiality, integrity, and availability of ePHI is safeguarded.

Patch Management: A Major Challenge for Healthcare Organizations

Computer software often contains errors in the code that could potentially be exploited by malicious actors to gain access to computers and healthcare networks.

Software, operating system, and firmware vulnerabilities are to be expected. No operating systems, software application, or medical device is bulletproof. What is important is those vulnerabilities are identified promptly and mitigations are put in place to reduce the probability of the vulnerabilities being exploited.

Security researchers often identify flaws and potential exploits. The bugs are reported to manufacturers and patches are developed to fix the vulnerabilities to prevent malicious actors from taking advantage.

Unfortunately, it is not possible for software developers to test every patch thoroughly and identify all potential interactions with other software and systems and still release patches in a timely manner.

Therefore, IT departments must test the patches before they are applied. IT teams must also ensure that patches are applied on all vulnerable systems and no device is missed.

With so many IT systems and software applications in use and the frequency that patches are released, patch management can be a major challenge for healthcare organizations.

HIPAA Patch Management Requirements

The HHS’ Office for Civil Rights has recently drawn attention to the importance of patching in its June 2018 cybersecurity newsletter. OCR explains the HIPAA patch management requirements and how patching vulnerable software is an essential element of HIPAA compliance. OCR describes patch management as “the process of identifying, acquiring, installing and verifying patches for products and systems.”

“Security vulnerabilities may be present in many types of software including databases, electronic health records (EHRs), operating systems, email, applets such as Java and Adobe Flash, and device firmware,” wrote OCR. “Identifying and mitigating the risks unpatched software poses to ePHI is important to ensure the protection of ePHI and in fulfilling HIPAA requirements.”

Patch management is not specifically mentioned in the HIPAA Security Rule, although the identification of vulnerabilities is covered in the HIPAA administrative safeguards under the security management process standard.

Vulnerabilities to the confidentiality, integrity, and availability of ePHI should be identified through an organization’s risk analyses – 45 C.F.R. § 164.308(a)(1)(i)(A) – and subjected to HIPAA-compliant risk management processes – 45 C.F.R. § 164.308(a)(1)(i)(B).

Patch management is also covered under the security awareness and training standard – 45 C.F.R. § 164.308(a)(5)(ii)(B) – protection from malicious software – and the evaluation standard – 45 C.F.R. § 164.308(a)(8).

Discovering Vulnerabilities and Possible Mitigations

To ensure patches can be applied, it is essential for IT teams to have a complete inventory of all systems, devices, operating systems, firmware, and software installed throughout the organization. Regular scans should also be conducted to identify unauthorized software – shadow IT – that has been installed.

The United States Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provide up to date information on new vulnerabilities, mitigations, and patches. Covered entities should regularly check their websites and, ideally, sign up for alerts. Information on vulnerabilities and patches should also be obtained from software vendors and medical device manufacturers.

The Patch Management Process

In order for a HIPAA-covered entity to ensure HIPAA patch management requirements are satisfied and vulnerabilities to the confidentiality, integrity, and availability of ePHI are reduced to an acceptable level, robust patch management policies and procedures need to be developed and implemented.

OCR suggests the patch management process should include:

  • Evaluation: Determine whether patches apply to your software/systems.
  • Patch Testing: Test patches on an isolated system to determine if there are any unforeseen or unwanted side effects, such as applications not functioning properly or system instability.
  • Approval: Following testing, approve patches for deployment.
  • Deployment: Deploy patches on live or production systems.
  • Verification and Testing: After deployment, continue to test and audit systems to ensure patches have been applied correctly and that there are no unforeseen side effects.

Resources:

NIST Special Publication 800-40 Guide to Enterprise Patch Management Technologies (Revision 3) is an excellent resource covering best practices for patch management.

The post OCR Draws Attention to HIPAA Patch Management Requirements appeared first on HIPAA Journal.

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Posted by HIPAA Journal

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems.

Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri.

Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software.

In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages containing highly sensitive information including the page below:

“RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (doctor’s name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA”

It was not necessary to be in close vicinity of a hospital to intercept the pages and view PHI. Pages were picked up from hospitals and medical centers in Blue Springs, MO; Harrisonville, MO; Liberty, MO; Kansas City, KS; Wichita, KS; and even hospitals further away in Kentucky and Michigan.

Reporters from the Kansas City Star made contact with several of the patients whose information was exposed to confirm the information was correct. Understandably, the patients were shocked to find out that their sensitive information had been obtained by unauthorized individuals, as were the hospitals.

While not all hospitals responded, some of those that did said they are working with their vendors to correct the problem to ensure that pages cannot be intercepted in the future.

Intercepting pages is illegal under the Electronic Communications Protection Act, although hacking healthcare networks or conducting phishing campaigns to obtain protected health information is similarly illegal, yet that does not stop hackers.

HIPAA-covered entities should take note of the recent privacy violations and should consider implementing a secure messaging solution in place of pagers; however, in the meantime they should contact their vendors and explore the options for encrypting pages to prevent ePHI from being intercepted.

The post Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist appeared first on HIPAA Journal.

District Court Ruling Confirms No Private Cause of Action in HIPAA

Posted by HIPAA Journal

Patients who believe HIPAA Rules have been violated can submit a compliant to the Department of Health and Human Services’ Office for Civil Rights, but they do not have the right to take legal action, at least not for the HIPAA violation. There is no individual private cause of action under HIPAA law.

Several patients have filed lawsuits over alleged HIPAA violations, although the cases have not proved successful. A recent case has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed.

Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that while at the hospital on June 15, 2017, a LabCorp employee instructed her to enter her protected health information at a computer intake station.

Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different computer intake station and took a photograph of the two computer intake stations.

On July 3, 2017, Ms. Lee-Thomas submitted a complaint with the hospital alleging a violation of HIPAA and filed a complaint with the HHS’ Office for Civil Rights. Later, a complaint was filed with the District of Columbia Office of Human Rights (OHR) claiming the hospital had failed to make appropriate accommodations for patients to preserve their privacy.

On November 15, 2017, the HHS informed Ms. Lee-Thomas that her claim would not be pursued and OHR similarly dismissed her complaint on November 28, 2017, in both cases on the grounds that she failed to state a claim. OHR suggested Ms. Lee-Thomas had the right to bring a private action before the D.C. Superior Court and she proceeded to do so.

LabCorp removed the case to the U.S. Court of Appeals for the District of Columbia Circuit, and filed a motion to dismiss, again for the failure to state a claim. Ms. Lee-Thomas failed to respond to the motion to dismiss.

In a June 15 ruling, District Court Judge Rudolph Contreras confirmed that HIPAA does permit financial penalties to be issued when patients’ privacy is violated in breach of HIPAA Rules, but civil and criminal penalties are pursued by the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. In his ruling, Judge Contreras confirmed there is no private cause of action in HIPAA.

Even if there was a private cause of action, it would be unlikely that this case would have proved successful as no harm appears to have been caused as a result of the alleged HIPAA violation.

While lawsuits are likely to be dismissed when based on HIPAA violations alone, that does not mean legal action cannot be taken by patients whose privacy has been violated. There is no private cause of action in HIPAA, but the privacy of personal information is covered by state laws.

Laws have been passed in all 50 states that require notifications to be issued to consumers when their personal information has been exposed, and several states also require companies to implement ‘reasonable safeguards’ to ensure personal data of state residents are protected.

A HIPAA violation can be reported to OCR to investigate, and action may be taken against the covered entity in question by OCR, but if the sole basis of any legal action is a violation of HIPAA Rules, the case is unlikely to be successful.

Victims of privacy violations who wish to take legal action should look at potential violations of state laws rather than HIPAA violations.

The post District Court Ruling Confirms No Private Cause of Action in HIPAA appeared first on HIPAA Journal.

Overdose Prevention and Patient Safety Act Passed by House

Posted by HIPAA Journal

The Overdose Prevention and Patient Safety Act – H.R. 6082 – aims to ease restrictions on the sharing of health records of patients with addictions, aligning 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records – with HIPAA.

Currently, 42 CFR Part 2 only permits the disclosure of health records of patients with substance abuse disorder without written consent to medical staff in emergency situations, to specified individuals for research and program evaluations, or if required to do so by means of a court order.

Under current regulations, a special release form must be signed by a patient authorizing the inclusion of substance abuse disorder information in their medical record.

Preventing doctors from having access to a patient’s entire medical history means decisions could be taken without full understanding of their potential consequences. If details of substance abuse disorder can be accessed, doctors will be able to make more informed decisions which will help them to safely and effectively treat patients.

The Overdose Prevention and Patient Safety Act allows the health records of substance abuse disorder patients to be disclosed without written consent from patients for the purposes of treatment, payment, and healthcare operations, aligning with the HIPAA Privacy Rule.

Additionally, the criminal penalties for violations involving substance abuse disorder records would align with the penalty structure of HIPAA and would not be treated separately.

Privacy protections are also enhanced for patients, which will prohibit the use of SUD information in criminal and civil prosecution cases, will protect against discrimination by prohibiting the sharing of substance abuse discover information with employers and landlords, and would require notifications to be issued in the event of the breach of that information in line with the requirements of the HITECT Act.

The House passed the Overdose Prevention and Patient Safety Act with a vote of 357-57. The Act will now go to the senate chamber for consideration.

The post Overdose Prevention and Patient Safety Act Passed by House appeared first on HIPAA Journal.

Is Rackspace HIPAA Compliant?

Posted by HIPAA Journal

The Windcrest, TX-based managed cloud computing company Rackspace offers public cloud and email hosting services, but can they be used by HIPAA-covered entities without violating HIPAA Rules? Is Rackspace HIPAA compliant?

Will Rackspace Sign a Business Associate Agreement with HIPAA Covered Entities?

Rackspace is aware that by allowing healthcare organizations to use its services, the company is classed as a HIPAA business associate and must agree to comply with the HIPAA Privacy and Security Rules.

Rackspace has obtained HITRUST and HITRUST CSF certifications which demonstrate the company meets the data and privacy security standards demanded by HIPAA for managed public, private, and hybrid cloud environments. The company uses extended SSL encryption and meets PCR DSS data security requirements.

The company provides assistance to healthcare companies to help them use its services and comply with HIPAA Rules and develop an approach that satisfies HIPAA Rules and meets their business needs.

Rackspace will also sign a business associate agreement for its dedicated hosting services, which is included by default for customers in the healthcare industry.

Is Rackspace HIPAA Compliant?

Rackspace is prepared to sign a business associate agreement with healthcare organizations and has implemented all the necessary safeguards to ensure that its hosting services can be used by healthcare organizations without violating HIPAA Rules.

Rackspace can therefore be considered to be a HIPAA complaint hosting company, provided customers use its dedicated hosting services and obtain a business associate agreement prior to using its hosting services in connection with any PHI.

However, it is the responsibility of all users to ensure that the hosting services are configured correctly. Rackspace cannot determine whether its customers are using its services in a manner that complies with HIPAA Rules.

Covered entities must take full responsibility for ensuring the requirements of HIPAA are satisfied and appropriate safeguards are maintained.

The post Is Rackspace HIPAA Compliant? appeared first on HIPAA Journal.

Washington Health System Suspends Several Employees for Inappropriate PHI Access

Posted by HIPAA Journal

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated.

While it has not been confirmed how many employees have been suspended, Washington Health System VP of strategy and clinical services, Larry Pantuso, issued a statement to the Observer Reporter indicating around a dozen employees have been suspended, although at this stage, no employees have been fired for inappropriate medical record access.

The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out of control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the accident.

Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile case.”

The accessing of medical records without any legitimate work reason for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA only permits the accessing of PHI by employees for treatment, payment, or healthcare operations.

Any healthcare employee discovered to have violated HIPAA Rules faces disciplinary action which can involve suspension, termination, loss of license and, potentially, criminal charges.

There have been several recent cases where employees have been fired snooping on the medical records of high profile patients.

In February 2018, 13 employees of the Medical University of South Carolina were fired for HIPAA violations after they accessed the medical records of patients without authorization, many of whom accessed the medical records of high profile patients.

One of the most recent actions taken against a healthcare employee for a HIPAA violation was taken by the New York nursing board’s Office for Professional Discipline. Martha Smith-Lightfoot was provided with a list of patients prior to leaving her employment at University of Rochester Medical Center (URMC) to take up a new position at Greater Rochester Neurology. Smith-Lightfoot provided that list to her new employer and patients were contacted in an attempt to solicit business.

Smith-Lightfoot signed a consent order with the nursing board admitting the violation and had her license to practice suspended for one year, received a stayed suspension for another year, and three years of probation when she returns to practice.

Snooping on medical records is likely to be discovered as logs are created when health records are accessed. Those logs are periodically checked and if inappropriate PHI access is discovered it is likely to result in termination and will make it hard to obtain future employment in healthcare.

The post Washington Health System Suspends Several Employees for Inappropriate PHI Access appeared first on HIPAA Journal.